Phishing Emails — How Not to Get Hooked

Matt Kmety, published in The KickStarter, Jul 7, 2020 (6 min read)

How malicious emails can infect your devices, compromise your privacy, and the best ways to avoid them.

Image by Tumisu from Pixabay

What is Phishing?

Phishing is a type of cybercrime targeting people through email, phone, and text messages. The attacker poses as a legitimate or trusted source to deceive people into providing sensitive data such as passwords, Social Security numbers, or financial information.

The word phishing is derived from the words phreaking and fishing. Phreaking is a term from the early 1970s for hackers exploiting phone systems to make free long-distance phone calls. Fishing is used because attackers will “cast their lure” and wait for an unsuspecting person to take the “bait”.

Phishing emails are phishing attempts sent through email. The goal continues to be getting sensitive information through deception and exploitation.

Photo by Staff Sgt. Austin M. May from U.S. Air Force

How to Know if You’re Being Phished Through Email?

Phishing emails can range from being riddled with typos and being blatantly obvious to well-crafted and very detailed. Regardless of the quality, phishing emails generally contain the same type of information.

Note: Information can vary based on the type of phishing email attack.

1. A Trusted Source
The email will look as though it is coming from a legitimate source. These may look like emails coming from companies that you know and trust. The attacker is trying to make you believe the email is coming from that company so that you take a specific action, such as clicking a malicious link. Here is an example of a phishing email made to look as if it were coming from Netflix.

Phishing Email from FTC

2. Eliciting an Emotion
Phishing emails will attempt to elicit an emotion, such as fear, by stating that your account may have an issue or there has been suspicious activity. A malicious link will be provided that will ask for sensitive information or install malware on your device.

The phishing email above says that they’re “having some trouble with your current billing information” and “you may want to update your payment details”. There is also a banner at the top stating “Your account is on hold.”

Image by PublicDomainPictures from Pixabay

Fear of having your Netflix subscription canceled may make you instinctively click the “UPDATE ACCOUNT NOW” button shown in the email.

3. A Malicious Link
A phishing email intends to get your information. Typically, an attacker will provide a malicious link to trick you into willingly providing your information. Links can also be used to install malware on your device.

These links will take you to a fraudulent website meant to appear legitimate. From there, you may be asked to log into a fake website where the attacker will steal your username and password. Attackers may ask for additional details such as credit card numbers or Social Security numbers.

The links in these emails are not legitimate and should never be clicked.

4. An Attachment
Malicious attachments may be sent through email disguised as an invoice, expense report, or tagged as “Important.” Never open an attachment from an unknown source.

These malicious files may carry malware and viruses that will infect your devices. This can occur through macros and scripts within Office documents or through files with the extension .exe.

Again, never open an attachment from an untrusted source!
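As an added example (not code from the original post), a small triage of the attachments in a constructed sample message: it flags executable or macro-enabled extensions, double extensions like “invoice.pdf.exe”, and an attachment declared as a PDF whose filename says otherwise. The extension watch-list is a hypothetical one.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed sample (not from the post): an "invoice" that is really an executable,
# a macro-enabled spreadsheet, and one ordinary PDF for comparison.
_msg = EmailMessage()
_msg["From"] = "billing@example.test"
_msg["Subject"] = "Important: overdue invoice"
_msg.set_content("Please see the attached invoice.")
_msg.add_attachment(b"MZ\x90\x00 fake", maintype="application", subtype="pdf",
                    filename="Invoice_2020.pdf.exe")
_msg.add_attachment(b"PK\x03\x04 fake", maintype="application",
                    subtype="vnd.ms-excel.sheet.macroEnabled.12", filename="expenses.xlsm")
_msg.add_attachment(b"%PDF-1.4 fake", maintype="application", subtype="pdf",
                    filename="report.pdf")
RAW_MESSAGE = _msg.as_bytes()

# Hypothetical watch-list: executables and macro-enabled Office formats the article warns about.
RISKY_EXTENSIONS = {"exe", "scr", "js", "vbs", "docm", "xlsm", "pptm"}

def risky_attachments(raw):
    """Map each suspicious attachment filename to the reasons it was flagged."""
    parsed = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in parsed.iter_attachments():
        name = part.get_filename() or ""
        exts = name.lower().split(".")[1:]      # "invoice.pdf.exe" -> ["pdf", "exe"]
        reasons = []
        if exts and exts[-1] in RISKY_EXTENSIONS:
            reasons.append("executable or macro-enabled extension")
        if len(exts) > 1:
            reasons.append("double extension hides the real file type")
        if part.get_content_type() == "application/pdf" and (not exts or exts[-1] != "pdf"):
            reasons.append("declared as PDF but filename says otherwise")
        if reasons:
            findings[name] = reasons
    return findings
```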

5 Ways to Protect Yourself From Phishing Emails

There are certain steps you should take to ensure you are protected from Phishing emails. Some are already built into the services you are using while others require a minimal amount of up-front work for a substantial long-term benefit.

1. Use the spam button on your email client.
Personal email accounts on platforms such as Gmail, Yahoo, and Hotmail have spam filters built into the service. These filters catch the majority of spam, but some emails will make it through. ZDNet reported that Gmail catches 99.9% of spam sent to Gmail accounts.

Messages not caught in the spam filter should be reported to your provider as spam. The message will be sent to the spam folder and future messages from the sender will either be blocked or sent to the spam folder automatically.

Photo by Stephen Phillips — Hostreviews.co.uk on Unsplash

2. Validate the sender’s email address.
Phishing emails will not be sent from legitimate sources. They will be sent from sources that try to appear legitimate.

Display names may be made to look like a company name. Look closely at the sender’s email address and you will see that the email did not originate from the company.

An example of a non-legitimate email address is “info@paypall.com”. The email is meant to look like it is coming from “@paypal.com”.

Photo by Saidul A Shaari From Flickr

3. Do not click links or attachments from unknown sources.
Never blindly click on a link within an email. The link may display that it is taking you to a legitimate URL, but it may be sending you to a fraudulent or malicious website.

Hovering over a link will show you the URL that link actually goes to. Do not trust the link without checking. Most phones can also show the URL behind a link.

This can’t be stated enough — Do not open attachments from unknown sources. Attachments in phishing emails are malicious and will infect your devices with malware.
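The two checks above (validate the real sender address, and compare where a link says it goes with where it actually goes), written as an added example that is not part of the original post. The script parses a constructed sample message, reports the sender domain behind the display name against a hypothetical allow-list, and flags links whose visible text is a URL on a different host than the real href.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not from the post): lookalike sender plus a misleading link.
RAW_MESSAGE = b"""From: "PayPal" <info@paypall.com>
To: you@example.com
Subject: Your account is on hold
Content-Type: text/html; charset=utf-8

<html><body><p>We are having some trouble with your billing information.</p>
<a href="http://login.paypall.com/update">https://www.paypal.com/account</a>
<a href="https://www.paypal.com/help">Help center</a></body></html>
"""
TRUSTED_DOMAINS = {"paypal.com"}  # hypothetical allow-list for this brand

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_sender(raw):
    """Return (display name, real sender domain, whether that domain is trusted)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    addr = msg["From"].addresses[0]
    return addr.display_name, addr.domain.lower(), addr.domain.lower() in TRUSTED_DOMAINS

def mismatched_links(raw):
    """Anchors whose visible text is a URL on a different host than the real href."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    parser = _LinkCollector()
    parser.feed(msg.get_body(preferencelist=("html",)).get_content())
    bad = []
    for href, text in parser.links:
        shown = urlparse(text).hostname if text.lower().startswith("http") else None
        if shown and shown != (urlparse(href).hostname or "").lower():
            bad.append((text, href))
    return bad
```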

4. Have up-to-date anti-virus installed.
Anti-virus will help detect any malicious files on your device and remove them. This can be helpful if you unknowingly download a malicious file from a phishing email.

Image by Michael Geiger from Pixabay

5. Enable Multi-Factor Authentication (MFA) on your accounts.
If you click on a malicious link and type your credentials into a fraudulent website, the attacker will have your username and password.

However, MFA is a secondary layer of security that requires an additional PIN (usually 4 to 8 characters) obtained through a text message, email, phone call, or authenticator app.

Wrapping Up

Phishing emails are becoming more clever at getting people to provide their personal information to attackers. Following the 5 ways to protect yourself against phishing emails is a good first step in keeping your accounts and personal information safe and secure.

Attackers will devise new ways to trick us into giving them our information. We will continue to thwart their attempts and minimize their impact.

If you have any questions feel free to Tweet or PM me @mrkmety

Matt Kmety
The KickStarter

Cybersecurity Enthusiast | Cloud Security & Information Protection @ Boeing | Trying to pass on knowledge to others | www.thecyberblog.com